Continuous backup saves the day when ransomware hits

When the Kentucky Workers’ Compensation Fund was hit by a recent ransomware attack, no one knew about it for a while. An employee got an ominous black screen with a ransom demand on her computer, but just minimized that screen and went about her business.

It was a couple of hours before anyone else knew something was wrong, when the clock-in and clock-out database crashed. Systems administrator Rubyanne O’Bryan found an unusual file extension, located the infected computer and disconnected it from the network.

Nightly backups are an important security feature, says Russell Lynch, senior IT support specialist, but KESA’s recovery was aided by virtual replication software from Zerto that continuously sends data to an offsite disaster recovery facility.


The ransomware file had come in at 2:30 p.m., so going back to the last stream of data before that time saved thousands of files, as well as time and money that would have been spent to go back to KESA’s client management software vendor to recover the data, O’Bryan says.

Further, data protected included a file coming from the bank to cut checks, and rebuilding that file would have been a very involved process, she adds. KESA uses the Zerto technology only for mission-critical servers, with lower-priority servers getting a nightly backup.

Lynch advises other organizations to re-evaluate their backup schedules for mission-critical systems. “If you are on a nightly schedule, you won’t make it through an attack.”

KESA learned several lessons from the experience to lower its risk in the event of future hack attempts, Lynch says.

Access to data was restricted to staff on a need-to-know basis.

KESA moved mapped drives off the database server, as these drives can be shared on multiple computers.

Restrictions on web browsing also were implemented, using software to block some or all access, depending on the tasks being done.

Staff members were re-educated on the dangers of clicking on email links and browsing.

These restrictions also applied to Lynch and O’Bryan, who no longer have full administrator rights, and O’Bryan recommends other organizations do the same. “Almost no one needs full access.”

Importantly, when the attack was discovered and the attacker’s message came up on the screen, it tried to pressure KESA to pay by setting a 96-hour deadline. Rather than going to the next screen to see the ransom demand and payment instructions, workers never clicked on that initial screen, and KESA never heard from the attacker again.